Description
CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.
Published: 2026-06-25
Score: 8.6 High
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in Schneider Electric PowerLogic™ P7’s network‑exposed service. It allows an attacker who has gained privileged authenticated access to inject arbitrary and potential compromise of system integrity, confidentiality, and availability.

Affected Systems

Schneider Electric PowerLogic™ P7 devices are affected. No specific firmware or serial versions are listed in the vendor data.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score of 1% shows a low but non‑zero exploitation probability, reflecting that the flaw is considered unlikely to be widely exploited yet. The flaw is not listed in CISA KEV, suggesting no publicly known, active exploitation at this time. The attack vector requires a privileged authenticated user to interact with the vulnerable service, implying that an attacker must already have some level of authorized access before exploiting the command injection. If successful, the exploited commands would run with the privileges of the authenticated user, enabling broader system compromise.

Generated by OpenCVE AI on June 26, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued firmware or software update that addresses the command‑execution exposure of the affected service by limiting ingress to trusted IP ranges or by placing the device behind a firewall that blocks unauthenticated traffic.
  • Enforce the principle of least privilege for accounts that can access the service; remove unnecessary administrative rights and consider separating user roles for production maintenance.
  • Audit and disable any unnecessary services on the device to reduce the attack surface.

Generated by OpenCVE AI on June 26, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Schneider Electric PowerLogic P7 Network Service

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric powerlogic P7
Vendors & Products Schneider-electric
Schneider-electric powerlogic P7

Thu, 25 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Schneider Electric PowerLogic P7 Network Service

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Schneider-electric Powerlogic P7
cve-icon MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-06-25T15:50:30.499Z

Reserved: 2026-05-27T16:02:10.875Z

Link: CVE-2026-9717

cve-icon Vulnrichment

Updated: 2026-06-25T15:50:27.524Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T15:30:02Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')